CN112511559A - Method and system for detecting lateral movement attacks in an intranet - Google Patents

Info

Publication number: CN112511559A (granted as CN112511559B)
Application number: CN202011502958.2A
Authority: CN (China)
Original language: Chinese (zh)
Prior art keywords: attack, intranet, flow characteristic, vector, flow
Legal status: granted, active (the status shown on the source page is Google's assumption, not a legal conclusion)
Inventors: 王世阳, 白文龙, 刘汝隽, 赵迪, 高滢
Original and current assignee: Agricultural Bank of China

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

According to the method and system for detecting an intranet lateral movement attack, all traffic features on the intranet devices are extracted; all the traffic features are matched against a pre-established lateral movement traffic feature library; and the attack purpose and attack tool of the intranet attack vector triple that is successfully matched in the lateral movement traffic feature library are determined to be the attack purpose and attack tool used in the intranet lateral movement attack. In the scheme provided by the embodiments of the invention, a pre-established lateral movement traffic feature library is matched against all traffic features on the intranet devices, and when the match succeeds the attack purpose and attack tool used in the intranet lateral movement attack can be determined, so that the intranet lateral movement attack is detected.

Description

Method and system for detecting lateral movement attacks in an intranet
Technical Field
The invention relates to the field of computer technology, and in particular to a method and a system for detecting an intranet lateral movement attack.
Background
Lateral movement is a technique widely used in complex intranet attacks: an attacker uses an already compromised host as a springboard to access other hosts in the intranet, thereby expanding the range of compromised assets (including documents and stored credentials on the springboard machine). Through lateral movement, an attacker can ultimately obtain domain controller privileges and thus control all devices, achieving goals such as stealing important data and establishing persistence in the intranet, which poses a serious threat to the information security of enterprises and other organizations. Lateral movement attack detection is therefore very important in building an enterprise network security defense system.
However, conventional intrusion detection methods are designed to detect intrusions from the external network and cannot detect intranet lateral movement attacks. In view of this, there is a need in the art for a solution for detecting intranet lateral movement attacks.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and a system for detecting an intranet lateral movement attack, so as to detect such attacks.
To achieve this, the embodiments of the present invention provide the following technical solutions:
the first aspect of the embodiments of the invention discloses a method for detecting an intranet lateral movement attack, which comprises the following steps:
extracting all traffic features on the intranet devices;
matching all the traffic features against a pre-established lateral movement traffic feature library, wherein the pre-established lateral movement traffic feature library comprises a plurality of intranet attack vector triples, each intranet attack vector triple comprises an attack purpose, an attack tool and a traffic feature vector list, and the traffic feature vector list comprises a plurality of traffic feature vectors;
and determining the attack purpose and the attack tool of the intranet attack vector triple successfully matched in the lateral movement traffic feature library to be the attack purpose and the attack tool used in the intranet lateral movement attack.
Optionally, the process of pre-establishing the lateral movement traffic feature library comprises:
extracting the attack traffic features generated when each intranet lateral movement attack tool performs an intranet lateral movement attack;
analyzing the attack traffic features and establishing the traffic feature vectors corresponding to them;
constructing the corresponding traffic feature vector list from the established traffic feature vectors;
and combining the traffic feature vector list, the attack tool corresponding to that list and the attack purpose corresponding to that tool into an intranet attack vector triple, the triples together serving as the lateral movement traffic feature library.
Optionally, the process of matching all the traffic features against the pre-established lateral movement traffic feature library comprises:
constructing, from all the traffic features, the traffic feature vector list corresponding to them;
matching the traffic feature vector list in each attack vector triple of the lateral movement traffic feature library against that traffic feature vector list one by one;
comparing each dimension value of each traffic feature vector in the traffic feature vector list of the attack vector triple used for matching with the non-empty value of the same dimension of each traffic feature vector in the constructed traffic feature vector list;
if the comparison results are the same, determining that the match succeeds;
and if the comparison results differ, determining that the match fails.
Optionally, the method further comprises:
acquiring the source IP and target IP corresponding to the traffic features successfully matched against the lateral movement traffic feature library;
and establishing a lateral movement four-dimensional vector from the source IP, the target IP, and the attack purpose and attack tool of the intranet attack vector triple successfully matched in the lateral movement traffic feature library.
Optionally, the method further comprises:
establishing a directed graph of the intranet lateral movement attack from the lateral movement four-dimensional vectors.
The second aspect of the embodiments of the present invention discloses a system for detecting an intranet lateral movement attack, the system comprising:
an extraction unit, for extracting all traffic features on the intranet devices;
a matching unit, for matching all the traffic features against a pre-established lateral movement traffic feature library, where the pre-established lateral movement traffic feature library comprises a plurality of intranet attack vector triples, each intranet attack vector triple comprises an attack purpose, an attack tool and a traffic feature vector list, and the traffic feature vector list comprises a plurality of traffic feature vectors;
and a determining unit, for determining the attack purpose and the attack tool of the intranet attack vector triple successfully matched in the lateral movement traffic feature library to be the attack purpose and the attack tool used in the intranet lateral movement attack.
Optionally, the system further comprises a building unit, the building unit comprising:
an extraction module, for extracting the attack traffic features generated when each intranet lateral movement attack tool performs an intranet lateral movement attack;
an analysis module, for analyzing the attack traffic features and establishing the traffic feature vectors corresponding to them;
a first construction module, for constructing the corresponding traffic feature vector list from the established traffic feature vectors;
and a processing module, for combining the traffic feature vector list, the attack tool corresponding to that list and the attack purpose corresponding to that tool into an intranet attack vector triple and using the intranet attack vector triples as the lateral movement traffic feature library.
Optionally, the matching unit comprises:
a second construction module, for constructing, from all the traffic features, the traffic feature vector list corresponding to them;
and a matching module, for matching the traffic feature vector list in each attack vector triple of the lateral movement traffic feature library against that traffic feature vector list one by one; comparing each dimension value of each traffic feature vector in the traffic feature vector list of the attack vector triple used for matching with the non-empty value of the same dimension of each traffic feature vector in the constructed traffic feature vector list; determining that the match succeeds if the comparison results are the same; and determining that the match fails if the comparison results differ.
Optionally, the system further comprises:
an acquisition unit, for acquiring the source IP and target IP corresponding to the traffic features successfully matched against the lateral movement traffic feature library;
and a first establishing unit, for establishing the lateral movement four-dimensional vector from the source IP, the target IP, and the attack purpose and attack tool of the intranet attack vector triple successfully matched in the lateral movement traffic feature library.
Optionally, the system further comprises:
a second establishing unit, for establishing the directed graph of the intranet lateral movement attack from the lateral movement four-dimensional vectors.
With the method and system for detecting an intranet lateral movement attack provided by the embodiments of the invention, all traffic features on the intranet devices are extracted; all the traffic features are matched against a pre-established lateral movement traffic feature library, where the library comprises a plurality of intranet attack vector triples, each triple comprises an attack purpose, an attack tool and a traffic feature vector list, and the list comprises a plurality of traffic feature vectors; and the attack purpose and attack tool of the intranet attack vector triple successfully matched in the lateral movement traffic feature library are determined to be the attack purpose and attack tool used in the intranet lateral movement attack. In this scheme, a pre-established lateral movement traffic feature library is matched against all traffic features on the intranet devices, and when the match succeeds the attack purpose and attack tool used in the intranet lateral movement attack can be determined, so that the intranet lateral movement attack is detected.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a schematic flow chart of a method for detecting an intranet lateral movement attack according to an embodiment of the present invention;
Fig. 2 is a schematic flow chart of another method for detecting an intranet lateral movement attack according to an embodiment of the present invention;
Fig. 3 is a network environment topology diagram of an intranet lateral movement attack according to an embodiment of the present invention;
Fig. 4 is a directed graph of an intranet lateral movement attack according to an embodiment of the present invention;
Fig. 5 is a block diagram of a system for detecting an intranet lateral movement attack according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In this application, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the drawings described above, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein.
As stated in the background, conventional intrusion detection methods are designed to detect intrusions from the external network and cannot detect intranet lateral movement attacks.
Therefore, the embodiments of the invention provide a method and a system for detecting an intranet lateral movement attack.
The following terms are used in the embodiments of the present invention:
Lateral movement technique: a technique widely used in complex intranet attacks. When an attacker performs a lateral movement attack with this technique, the compromised system is used as a springboard to access other intranet hosts and expand the range of compromised assets (including documents and stored credentials on the springboard system, and databases, domain controllers or other important assets reachable through it).
Attack features: in the course of moving from breaching the external network boundary to taking over the target host, an attacker performs a series of operations on the compromised host, such as remote access, writing web shells and credential passing. During these operations the attacked host generates corresponding information, such as host logs and host traffic; this information constitutes the attack features, through which the attacker can be detected.
Attack chain: during a network intrusion, an attacker breaks through the defenses of one host after another by various means in order to traverse the enterprise's defense-in-depth system. Before reaching the core system, the attacker keeps enlarging the attack surface by continually acquiring privileges on other hosts in the area already occupied (i.e. lateral movement). Representing the complete record of the attacker's lateral movement through the intranet as a directed linked list yields the attacker's attack chain.
The embodiments of the invention provide a method and a system for detecting an intranet lateral movement attack; the specific implementation is described by the following embodiments.
Fig. 1 is a schematic flow chart of a method for detecting an intranet lateral movement attack according to an embodiment of the present invention. The method comprises the following steps:
S101: extracting all traffic features on the intranet devices.
In implementing step S101, a traffic detection tool deployed in the intranet environment may be used to inspect the traffic of the intranet devices and extract the traffic features of all detected flows, giving all the traffic features.
S102: matching all the traffic features against a pre-established lateral movement traffic feature library.
In step S102, the pre-established lateral movement traffic feature library comprises a plurality of intranet attack vector triples; each intranet attack vector triple comprises an attack purpose, an attack tool and a traffic feature vector list, and the traffic feature vector list comprises a plurality of traffic feature vectors.
In implementing step S102, a traffic feature vector list corresponding to all the traffic features obtained in step S101 may be constructed and matched against the traffic feature vector lists in the lateral movement traffic feature library.
S103: determining the attack purpose and the attack tool of the intranet attack vector triple successfully matched in the lateral movement traffic feature library to be the attack purpose and the attack tool used in the intranet lateral movement attack.
In implementing step S103, when step S102 reports a successful match, the attack purpose of the matched intranet attack vector triple is determined to be the attack purpose of the current intranet lateral movement attack, and the attack tool of that triple is determined to be the attack tool used in the current intranet lateral movement attack.
With the method for detecting an intranet lateral movement attack provided by the embodiment of the invention, the pre-established lateral movement traffic feature library is matched against all traffic features on the intranet devices, and when the match succeeds the attack purpose and attack tool used in the intranet lateral movement attack can be determined, so that the intranet lateral movement attack is detected.
With the method provided by the embodiment of the invention, the lateral movement traffic feature library used in step S102 is pre-established; specifically, the process of establishing it comprises the following steps:
S11: extracting the attack traffic features generated when each intranet lateral movement attack tool performs an intranet lateral movement attack.
In implementing step S11, the traffic detection tool is used to capture the attack traffic generated when each intranet lateral movement attack tool attacks the intranet, and the traffic features of the captured attack traffic are extracted, giving the attack traffic features generated by each tool when it attacks the intranet laterally.
S12: analyzing the attack traffic features and establishing the traffic feature vectors corresponding to them.
From the attack traffic features obtained in step S11 for each attack tool, the attack traffic features generated by each tool are analyzed and a traffic feature vector corresponding to them is established. Optionally, the traffic feature vector is a six-dimensional vector comprising a protocol, a communication domain name feature, a communication IP feature, a port feature, a content feature and a number of transmissions. Specifically, with S denoting a traffic feature vector, the format of each traffic feature vector is:
S = <protocol, communication domain name feature, communication IP feature, port feature, content feature, number of transmissions>.
Taking the intranet forwarding tool ngrok as an example, suppose its communication traffic has two traffic features:
The first traffic feature: ngrok uses IPv6 to communicate with the external network when forwarding traffic.
The second traffic feature: when ngrok forwards traffic, the communication address contains the string 'ngrok'.
The traffic feature vector S1 established for the first traffic feature may be expressed as:
S1 = <IP, NULL, /^(([\da-fA-F]{1,4}):){8}$/, NULL, NULL, NULL>.
The traffic feature vector S2 established for the second traffic feature may be expressed as:
S2 = <HTTPS, /{.*}ngrok/, NULL, NULL, NULL, NULL>.
s13: and constructing a corresponding flow characteristic vector list according to the established flow characteristic vector.
Based on the traffic feature vector corresponding to the attack traffic feature generated by each attack tool obtained by executing step S12, a traffic feature vector list corresponding to each attack tool is constructed. The list of traffic feature vectors is a set of traffic feature vectors.
S14: and combining the flow characteristic vector list, the attack tool corresponding to the flow characteristic vector list and the attack purpose corresponding to the attack tool to form an intranet attack vector triple serving as a transverse mobile flow characteristic library.
Based on the traffic feature vector list corresponding to each attack tool obtained by executing step S13, the traffic feature vector list, the attack tool corresponding to the traffic feature vector list, and the attack purpose corresponding to the attack tool together form an intranet attack vector triple, and all the intranet attack vector triples formed are used as a lateral mobile traffic feature library.
Specifically, P represents an intranet attack vector triple, and the format thereof is as follows:
p ═ attack purpose, attack tool, traffic feature vector list >.
Similarly, taking the intranet forwarding tool ngrok as an example, the established intranet attack vector triplet P may be specifically expressed as:
p ═ traffic forwarding ', ' ngrok ', [ S1, S2, S3.. Sn ] >.
Specifically, M represents a transverse mobile traffic feature library, which is a set of intranet attack vector triples, and the format of the transverse mobile traffic feature library is as follows:
M={P0,P1,P2,...,Pn}。
wherein the value of n is a positive integer greater than 1.
In the embodiment of the invention, for each attack tool of the intranet transverse movement, the attack flow characteristics generated when the attack tool carries out the intranet transverse movement attack are extracted and analyzed, and the corresponding flow characteristic vector, the flow characteristic vector list and the intranet attack vector triple are constructed, so that a transverse movement flow characteristic library is established, the transverse movement flow characteristic library is subsequently used for carrying out flow characteristic matching, the condition of the intranet transverse movement attack can be determined according to the matching result, and the aim of detecting the intranet transverse movement attack is fulfilled.
With the method provided by the embodiment of the invention, the process of executing step S102, matching all traffic features against the pre-established lateral movement traffic feature library, comprises the following steps:
S21: constructing, from all the traffic features, the traffic feature vector list corresponding to them.
In implementing step S21, traffic feature vectors corresponding to all the traffic features are constructed from those features, and the traffic feature vector list is constructed from the resulting traffic feature vectors.
S22: matching the traffic feature vector list in each attack vector triple of the lateral movement traffic feature library against that traffic feature vector list one by one.
In implementing step S22, the traffic feature vector list in each attack vector triple of the lateral movement traffic feature library is matched one by one against the traffic feature vector list obtained in step S21. Specifically, each traffic feature vector in the list of the attack vector triple being matched is compared one by one with each traffic feature vector in the list obtained in step S21.
If every traffic feature vector in the list of a given attack vector triple in the lateral movement traffic feature library compares as the same as the corresponding traffic feature vector in the list obtained in step S21, the match is determined to succeed; otherwise it is determined to fail.
To aid understanding of the above comparison of traffic feature vectors, the following description is given.
For example, traffic feature vector list L1 is compared with traffic feature vector list L2:
L1 denotes the traffic feature vector list in a given attack vector triple being matched in the lateral movement traffic feature library, with L1 = [S1, S2, S3], and L2 denotes the traffic feature vector list obtained in step S21, with L2 = [S4, S5, S6].
When the comparison of traffic feature vectors S1 and S4 is the same, the comparison of S2 and S5 is the same, and the comparison of S3 and S6 is the same, the match is determined to succeed.
The above matching procedure for the traffic feature vector list can be represented in pseudocode as follows:
Input: the traffic feature list L of a given attack and a given attack vector P
Output: whether the features L of the attack are consistent with the features of the attack vector represented by P
[Pseudocode listing: present on the source page only as an image, not as text]
In the pseudocode, L denotes the traffic feature vector list constructed from the attack traffic features when an intranet lateral movement attack occurs, and P denotes the traffic feature vector list in an attack vector triple of the lateral movement traffic feature library.
S23: comparing each dimension value of each traffic feature vector in the traffic feature vector list of the attack vector triple used for matching with the non-empty dimension value of the same dimension of each traffic feature vector in the traffic feature vector list.
In the specific implementation of step S23, each dimension value of each traffic feature vector in the traffic feature vector list of the attack vector triple used for matching in the lateral movement traffic feature library is compared with the non-empty dimension value of the same dimension of each traffic feature vector in the traffic feature vector list obtained by executing step S21.
That is, the first to sixth dimension values of each traffic feature vector used for matching in the lateral movement traffic feature library are compared with the first to sixth dimension values of each traffic feature vector in the traffic feature vector list obtained by executing step S21; when any one of the first to sixth dimension values of a traffic feature vector in the list obtained by executing step S21 is empty, that dimension value does not take part in the comparison. If the comparison results of all compared dimension values are the same, the matching is determined to be successful; if the comparison result of at least one dimension value differs, the matching is determined to have failed.
To facilitate understanding of the above process of comparing the dimension values of traffic feature vectors, the comparison of traffic feature vector S1 with traffic feature vector S4 from the example given for step S22 is further illustrated below.
For example, traffic feature vector S1 = <first protocol, first communication domain name feature, first communication IP feature, first port feature, first content feature, first number of transmissions>
and traffic feature vector S4 = <second protocol, second communication domain name feature, NULL, NULL, NULL, NULL>.
The first dimension value of S1, i.e. the first protocol, is compared with the first dimension value of S4, i.e. the second protocol, and the second dimension value of S1, i.e. the first communication domain name feature, is compared with the second dimension value of S4, i.e. the second communication domain name feature; the remaining dimensions of S4 are empty and do not take part in the comparison. If the first protocol is the same as the second protocol and the first communication domain name feature is the same as the second communication domain name feature, the matching is determined to be successful.
The above matching process for a traffic feature vector can be expressed in pseudo-code as follows:
Input: six-dimensional vectors S1 and S2 to be matched
Output: Boolean value indicating whether the two vectors match
Figure BDA0002844142230000111
In the pseudo code, S1 represents a traffic feature vector corresponding to an attack traffic feature constructed when an intranet lateral movement attack occurs, and S2 represents a traffic feature vector in an attack vector triplet in a lateral movement traffic feature library.
In the embodiment of the invention, the intranet lateral movement attack is detected as follows: a traffic feature vector list corresponding to all traffic features in the intranet device is constructed; this list is matched with the traffic feature vector list in each attack vector triple in the lateral movement traffic feature library; each dimension value of each traffic feature vector in the traffic feature vector list of the attack vector triple used for matching is compared with the non-empty dimension value of the same dimension of each traffic feature vector in the constructed list; and whether the matching is successful is determined from the comparison result, so that the intranet lateral movement attack situation can be determined.
Referring to fig. 2, a schematic flow diagram of another method for detecting an intranet lateral movement attack according to an embodiment of the present invention is shown. The method comprises the following steps:
S201: extracting all traffic features in the intranet device.
S202: matching all the traffic features with a pre-established lateral movement traffic feature library.
S203: determining the attack purpose and the attack tool corresponding to the intranet attack vector triple successfully matched in the lateral movement traffic feature library as the attack purpose and the attack tool used in the present intranet lateral movement attack.
For the specific implementation of steps S201 to S203, reference may be made to the corresponding contents described for steps S101 to S103, which are not repeated here.
S204: acquiring the source IP and the destination IP corresponding to the traffic features successfully matched with the lateral movement traffic feature library.
In the specific implementation of step S204, when the result of executing step S202 is a successful match, the source IP and the destination IP are obtained from the traffic features that were successfully matched with the lateral movement traffic feature library.
S205: establishing a lateral movement four-dimensional vector according to the source IP, the destination IP, and the attack purpose and the attack tool corresponding to the intranet attack vector triple successfully matched in the lateral movement traffic feature library.
In the specific implementation of step S205, a lateral movement four-dimensional vector is established from the attack purpose and attack tool obtained by executing step S203 and the source IP and destination IP obtained by executing step S204.
To facilitate an intuitive understanding of the relationship between the lateral movement four-dimensional vector and the attack purpose, attack tool, source IP and destination IP, the lateral movement four-dimensional vector is denoted by C, and C may take the form:
C = (attack purpose, attack tool, source IP, destination IP)
S206: establishing a directed graph of the intranet lateral movement attack according to the lateral movement four-dimensional vectors.
In practice, several attack tools are generally used in one intranet lateral movement attack, and each attack tool corresponds to an attack purpose, a source IP and a destination IP; therefore, several lateral movement four-dimensional vectors are generated in one intranet lateral movement attack. A lateral movement list is formed from these lateral movement four-dimensional vectors, and the directed graph of the intranet lateral movement attack is established from the lateral movement list.
To facilitate understanding of the relationship between the lateral movement list and the lateral movement four-dimensional vectors, the lateral movement list is denoted by W and the lateral movement four-dimensional vector by C; the lateral movement list W may take the form:
W = {C0, C1, …, Cn-1, Cn}
The process of building the directed graph of the intranet lateral movement attack can be expressed in pseudo-code as follows:
Input: lateral movement vector list W
Output: lateral movement graph Res in dictionary format (key: value pairs), where the key is a source IP and the value is the list of destination IPs the source IP moved to
Figure BDA0002844142230000131
In the embodiment of the invention, a pre-established lateral movement traffic feature library is matched against all traffic features in the intranet device; when the matching is successful, the attack purpose and the attack tool used in the intranet lateral movement attack can be determined, thereby detecting the intranet lateral movement attack. Further, by acquiring the source IP and the destination IP corresponding to the traffic features successfully matched with the lateral movement traffic feature library, a lateral movement four-dimensional vector is established from the attack purpose, the attack tool, the source IP and the destination IP, and a directed graph of the intranet lateral movement attack is then established from these vectors, so that the intranet lateral movement attack can be traced.
Based on the above method for detecting an intranet lateral movement attack provided by the embodiment of the present invention, a specific example is described below with reference to fig. 3 to illustrate the process of establishing the directed graph of the intranet lateral movement attack.
Referring to the network environment topology shown in fig. 3:
Host A is a Web server with phpstudy deployed; it runs the built-in Windows firewall, has Internet access, exposes port 80, and has the IP address 192.168.17.12;
Host B is a domain controller running Windows Server 2008, has no Internet access, and has the IP address 192.168.17.4;
Host C is a Windows host in the same domain; it has Internet access but exposes no sensitive ports, and has the IP address 192.168.17.13.
The IP address used by the attacker is 112.210.12.137. The attacker's network intrusion proceeds as follows:
the attacker discovers a phpmyadmin directory on the Web server, i.e. host A, through directory scanning and logs in with the weak password root/root;
after logging in, the attacker writes a webshell into the phpmyadmin directory via the global log, connects to the Trojan with AntSword, and obtains a forward shell with administrator rights;
using the forward shell, the attacker adds a new user, forwards traffic with ngrok to bypass the firewall, and logs in to host A remotely through port 3389;
after logging in to host A, the attacker determines, by collecting information on host A, which intranet segment host A is in and whether a domain controller exists, and uploads a plaintext credential grabbing tool to host A to obtain host A's plaintext passwords;
the attacker generates a Trojan with Metasploit, uploads it to host A, adds a route on host A that allows the attacker and the domain controller to communicate, and copies the Trojan to the domain controller, i.e. host B, and to host C over an IPC pipe;
finally, the attacker executes the Trojan remotely using WMI, obtains a reverse shell on the domain controller, i.e. host B, and obtains system privileges on the domain controller with Meterpreter.
Based on the above intrusion process, the following analysis is carried out and the directed graph of the intranet lateral movement attack is established:
1) The Internet traffic detection device detects AntSword traffic, and the following lateral movement four-dimensional vector is established:
<getshell, AntSword, 112.210.12.137, 192.168.17.12>
2) ngrok traffic is detected, and the following lateral movement four-dimensional vector is established:
<traffic forwarding, ngrok, 192.168.17.12, some external IP>
3) The IPC attack is detected, and the following lateral movement four-dimensional vectors are established:
< IPC pipe, IPC, 192.168.17.12, 192.168.17.4>
< IPC pipe, IPC, 192.168.17.12, 192.168.17.4>
4) WMI remote command execution traffic is detected, and the following lateral movement four-dimensional vectors are established:
<Trojan horse execution, WMI, 192.168.17.12, 192.168.17.4>
<Trojan horse execution, WMI, 192.168.17.12, 192.168.17.13>
5) From the above lateral movement four-dimensional vectors, the finally established directed graph of the intranet lateral movement attack can be as shown in fig. 4.
In the embodiment of the invention, the intranet lateral movement attack is traced by determining the attack purpose, the attack tool, the source IP and the destination IP corresponding to the occurrence of the intranet lateral movement attack, establishing the lateral movement four-dimensional vector, and then establishing the directed graph of the intranet lateral movement attack.
The embodiment of the invention discloses a method for detecting an intranet lateral movement attack; correspondingly, the embodiment of the invention also discloses a system for detecting an intranet lateral movement attack. Fig. 5 is a block diagram illustrating the structure of a system for detecting an intranet lateral movement attack according to an embodiment of the present invention.
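The following is an added example, not the pseudo-code from the patent figure: it builds the lateral movement graph Res of step S206 from the four-dimensional vectors listed in the fig. 3 walk-through above, and, going one step beyond the dictionary output described there, labels each edge with the tools seen on it and enumerates the attack paths from the attacker's entry IP, which is the tracing use the directed graph is meant to support. The ngrok destination is only given as "some external IP" in the text, so a placeholder address from the documentation range stands in for it.

```python
"""Directed graph of an intranet lateral movement attack from
lateral movement four-dimensional vectors (added example)."""
from typing import Dict, List, NamedTuple, Tuple


class LateralMove(NamedTuple):
    """The four-dimensional vector C = (attack purpose, attack tool, source IP, destination IP)."""
    purpose: str
    tool: str
    src_ip: str
    dst_ip: str


# Placeholder for the "some external IP" of the ngrok vector (RFC 5737 documentation range).
EXTERNAL_IP_PLACEHOLDER = "203.0.113.10"

# Lateral movement list W, transcribed from the fig. 3 walk-through (the duplicated IPC
# vector is kept as it appears there, to show that repeated alerts collapse into one edge).
SAMPLE_W: List[LateralMove] = [
    LateralMove("getshell", "AntSword", "112.210.12.137", "192.168.17.12"),
    LateralMove("traffic forwarding", "ngrok", "192.168.17.12", EXTERNAL_IP_PLACEHOLDER),
    LateralMove("IPC pipe", "IPC", "192.168.17.12", "192.168.17.4"),
    LateralMove("IPC pipe", "IPC", "192.168.17.12", "192.168.17.4"),
    LateralMove("Trojan horse execution", "WMI", "192.168.17.12", "192.168.17.4"),
    LateralMove("Trojan horse execution", "WMI", "192.168.17.12", "192.168.17.13"),
]


def build_graph(moves: List[LateralMove]) -> Dict[str, List[str]]:
    """Step S206: Res[source IP] = list of destination IPs that source moved to.

    Each destination is recorded once per source, in first-seen order, so the
    two IPC vectors above produce a single 192.168.17.12 -> 192.168.17.4 edge.
    """
    res: Dict[str, List[str]] = {}
    for move in moves:
        targets = res.setdefault(move.src_ip, [])
        if move.dst_ip not in targets:
            targets.append(move.dst_ip)
    return res


def edge_labels(moves: List[LateralMove]) -> Dict[Tuple[str, str], List[str]]:
    """(source IP, destination IP) -> distinct attack tools observed on that edge,
    so an analyst can read which tools were used for each hop."""
    labels: Dict[Tuple[str, str], List[str]] = {}
    for move in moves:
        tools = labels.setdefault((move.src_ip, move.dst_ip), [])
        if move.tool not in tools:
            tools.append(move.tool)
    return labels


def attack_paths(graph: Dict[str, List[str]], entry: str) -> List[List[str]]:
    """Enumerate every simple path from the entry IP through the graph (depth-first).
    Nodes already on the current path are not revisited, so cycles cannot recurse forever."""
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        next_hops = [n for n in graph.get(node, []) if n not in path]
        if not next_hops:
            paths.append(path)          # dead end: this path is complete
            return
        for hop in next_hops:
            walk(hop, path + [hop])

    walk(entry, [entry])
    return paths


if __name__ == "__main__":
    graph = build_graph(SAMPLE_W)
    for src, dsts in graph.items():
        print(src, "->", dsts)
    for path in attack_paths(graph, "112.210.12.137"):
        print(" -> ".join(path))
```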
The system comprises: an extraction unit 501, a matching unit 502 and a determination unit 503.
The extraction unit 501 is configured to extract all traffic features in the intranet device.
The matching unit 502 is configured to match all the traffic features extracted by the extraction unit with a pre-established lateral movement traffic feature library, where the pre-established lateral movement traffic feature library comprises a plurality of intranet attack vector triples, each intranet attack vector triple comprises an attack purpose, an attack tool and a traffic feature vector list, and the traffic feature vector list comprises a plurality of traffic feature vectors.
The determination unit 503 is configured to determine the attack purpose and the attack tool corresponding to the intranet attack vector triple successfully matched in the lateral movement traffic feature library as the attack purpose and the attack tool used in the present intranet lateral movement attack.
Optionally, the system further comprises a construction unit; the construction unit comprises:
an extraction module, configured to extract the attack traffic features generated when each attack tool for intranet lateral movement performs a lateral movement attack on the intranet;
an analysis module, configured to analyze the attack traffic features and establish traffic feature vectors corresponding to the attack traffic features;
a first construction module, configured to construct a corresponding traffic feature vector list from the established traffic feature vectors;
and a processing module, configured to combine the traffic feature vector list, the attack tool corresponding to the traffic feature vector list and the attack purpose corresponding to the attack tool into an intranet attack vector triple and use the intranet attack vector triples as the lateral movement traffic feature library.
Optionally, the matching unit comprises:
a second construction module, configured to construct, from all the traffic features, a traffic feature vector list corresponding to all the traffic features;
and a matching module, configured to match the traffic feature vector list in each attack vector triple in the lateral movement traffic feature library with the constructed traffic feature vector list one by one; to compare each dimension value of each traffic feature vector in the traffic feature vector list of the attack vector triple used for matching with the non-empty dimension value of the same dimension of each traffic feature vector in the constructed traffic feature vector list; to determine that the matching is successful if the comparison results are the same; and to determine that the matching has failed if the comparison results are different.
Optionally, the system further comprises an acquisition unit and a first establishing unit.
The acquisition unit is configured to acquire the source IP and the destination IP corresponding to the traffic features successfully matched with the lateral movement traffic feature library.
The first establishing unit is configured to establish a lateral movement four-dimensional vector according to the source IP, the destination IP, and the attack purpose and the attack tool corresponding to the intranet attack vector triple successfully matched in the lateral movement traffic feature library.
Optionally, the system further comprises a second establishing unit.
The second establishing unit is configured to establish a directed graph of the intranet lateral movement attack according to the lateral movement four-dimensional vectors.
For the specific implementation principles of each unit and module in the system for detecting an intranet lateral movement attack disclosed in the embodiment of the present invention, reference may be made to the corresponding contents of the method for detecting an intranet lateral movement attack disclosed in the embodiment of the present invention, which are not repeated here.
In the system for detecting an intranet lateral movement attack provided by the embodiment of the invention, the extraction unit extracts all traffic features in the intranet device; the matching unit matches all the traffic features with a pre-established lateral movement traffic feature library, where the pre-established lateral movement traffic feature library comprises a plurality of intranet attack vector triples, each intranet attack vector triple comprises an attack purpose, an attack tool and a traffic feature vector list, and the traffic feature vector list comprises a plurality of traffic feature vectors; and the determination unit determines the attack purpose and the attack tool corresponding to the intranet attack vector triple successfully matched in the lateral movement traffic feature library as the attack purpose and the attack tool used in the present intranet lateral movement attack. In the solution provided by the embodiment of the invention, the pre-established lateral movement traffic feature library is matched against all traffic features in the intranet device, and when the matching is successful, the attack purpose and the attack tool used in the intranet lateral movement attack can be determined, thereby detecting the intranet lateral movement attack.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, the system or system embodiments are substantially similar to the method embodiments and therefore are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for related points. The above-described system and system embodiments are only illustrative, wherein the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method for detecting an intranet lateral movement attack, characterized by comprising the following steps:
extracting all traffic features in the intranet device;
matching all the traffic features with a pre-established lateral movement traffic feature library, wherein the pre-established lateral movement traffic feature library comprises a plurality of intranet attack vector triples, each intranet attack vector triple comprises an attack purpose, an attack tool and a traffic feature vector list, and the traffic feature vector list comprises a plurality of traffic feature vectors;
and determining the attack purpose and the attack tool corresponding to the intranet attack vector triple successfully matched in the lateral movement traffic feature library as the attack purpose and the attack tool used in the present intranet lateral movement attack.
2. The method of claim 1, wherein pre-establishing the lateral movement traffic feature library comprises:
extracting the attack traffic features generated when each attack tool for intranet lateral movement performs a lateral movement attack on the intranet;
analyzing the attack traffic features and establishing traffic feature vectors corresponding to the attack traffic features;
constructing a corresponding traffic feature vector list from the established traffic feature vectors;
and combining the traffic feature vector list, the attack tool corresponding to the traffic feature vector list and the attack purpose corresponding to the attack tool into an intranet attack vector triple serving as the lateral movement traffic feature library.
3. The method of claim 1, wherein the process of matching all the traffic features with the pre-established lateral movement traffic feature library comprises:
constructing, from all the traffic features, a traffic feature vector list corresponding to all the traffic features;
matching the traffic feature vector list in each attack vector triple in the lateral movement traffic feature library with the constructed traffic feature vector list one by one;
comparing each dimension value of each traffic feature vector in the traffic feature vector list of the attack vector triple used for matching with the non-empty dimension value of the same dimension of each traffic feature vector in the constructed traffic feature vector list;
if the comparison results are the same, determining that the matching is successful;
and if the comparison results are different, determining that the matching has failed.
4. The method of any one of claims 1 to 3, further comprising:
acquiring the source IP and the destination IP corresponding to the traffic features successfully matched with the lateral movement traffic feature library;
and establishing a lateral movement four-dimensional vector according to the source IP, the destination IP, and the attack purpose and the attack tool corresponding to the intranet attack vector triple successfully matched in the lateral movement traffic feature library.
5. The method of claim 4, further comprising:
establishing a directed graph of the intranet lateral movement attack according to the lateral movement four-dimensional vector.
6. A system for detecting an intranet lateral movement attack, the system comprising:
an extraction unit, configured to extract all traffic features in the intranet device;
a matching unit, configured to match all the traffic features with a pre-established lateral movement traffic feature library, wherein the pre-established lateral movement traffic feature library comprises a plurality of intranet attack vector triples, each intranet attack vector triple comprises an attack purpose, an attack tool and a traffic feature vector list, and the traffic feature vector list comprises a plurality of traffic feature vectors;
and a determination unit, configured to determine the attack purpose and the attack tool corresponding to the intranet attack vector triple successfully matched in the lateral movement traffic feature library as the attack purpose and the attack tool used in the present intranet lateral movement attack.
7. The system of claim 6, further comprising a construction unit, the construction unit comprising:
an extraction module, configured to extract the attack traffic features generated when each attack tool for intranet lateral movement performs a lateral movement attack on the intranet;
an analysis module, configured to analyze the attack traffic features and establish traffic feature vectors corresponding to the attack traffic features;
a first construction module, configured to construct a corresponding traffic feature vector list from the established traffic feature vectors;
and a processing module, configured to combine the traffic feature vector list, the attack tool corresponding to the traffic feature vector list and the attack purpose corresponding to the attack tool into an intranet attack vector triple and use the intranet attack vector triple as the lateral movement traffic feature library.
8. The system of claim 6, wherein the matching unit comprises:
a second construction module, configured to construct, from all the traffic features, a traffic feature vector list corresponding to all the traffic features;
and a matching module, configured to match the traffic feature vector list in each attack vector triple in the lateral movement traffic feature library with the constructed traffic feature vector list one by one; to compare each dimension value of each traffic feature vector in the traffic feature vector list of the attack vector triple used for matching with the non-empty dimension value of the same dimension of each traffic feature vector in the constructed traffic feature vector list; to determine that the matching is successful if the comparison results are the same; and to determine that the matching has failed if the comparison results are different.
9. The system of any one of claims 6 to 8, further comprising:
an acquisition unit, configured to acquire the source IP and the destination IP corresponding to the traffic features successfully matched with the lateral movement traffic feature library;
and a first establishing unit, configured to establish the lateral movement four-dimensional vector according to the source IP, the destination IP, and the attack purpose and the attack tool corresponding to the intranet attack vector triple successfully matched in the lateral movement traffic feature library.
10. The system of claim 9, further comprising:
a second establishing unit, configured to establish the directed graph of the intranet lateral movement attack according to the lateral movement four-dimensional vector.
Application CN202011502958.2A, priority date 2020-12-17, filing date 2020-12-17: Method and system for detecting intranet lateral movement attack (Active; granted as CN112511559B (en))

Publications (2)

Publication Number Publication Date
CN112511559A (en) 2021-03-16
CN112511559B (en) 2023-06-16



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant